stt

Security checks across malware telemetry and agentic risk

Overview

This speech-to-text skill appears to do what it advertises, but it uploads selected audio to a third-party transcription API.

Install only if you are comfortable sending selected audio recordings and your SkillBoss API key to the SkillBoss/HeyBossAI service. Avoid confidential, regulated, or highly personal recordings unless third-party transcription is allowed, and store SKILLBOSS_API_KEY securely.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill sends user-provided audio to an external transcription service, but the description does not clearly warn that potentially sensitive voice content leaves the local environment. This creates a privacy and data-handling risk because users may provide recordings containing confidential, personal, or regulated information without informed consent.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script base64-encodes the full audio file and transmits it to a third-party API, but the CLI provides no explicit runtime warning, consent prompt, or privacy notice beyond a brief docstring. This can cause unintended disclosure of sensitive voice content or embedded personal information when users run the tool without realizing all audio is uploaded remotely.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal